Tuesday, May 06, 2008

Privacy: Our Responsibility?

Last October I wrote about how, and why, encrypting the contents of our emails would guarantee that they are “private” under the 4th Amendment, for the same reasons sealed letters sent through the mail are “private.”

As I mentioned in that post, a three-judge panel of the Sixth Circuit Court of Appeals held, in June of last year, that the contents of emails stored with an ISP are “private,” notwithstanding the fact that they have not been encrypted. (U.S. v. Warshak)

That opinion was later vacated, and the entire Sixth Circuit heard arguments in the case last December. The government, not surprisingly, is trying to get the Sixth Circuit to change its mind.

We still don’t have a decision in the case, as of today, but I assume one will be coming soon. The government’s arguments in the case on rehearing go to procedural issues, mostly; they challenge Warshak’s standing, his right to bring the legal challenge, which is one way of giving a court an easy way to duck deciding a hard issue. The Sixth Circuit could simply say that Warshak lacked standing, and so it cannot properly address the 4th Amendment issue. I hope the court doesn’t do that, but it wouldn’t surprise me.

Thinking about what might happen with the Warshak case brings me back to the issue I wrote a bit on last October: encryption. If we all simply encrypted our emails, they would clearly be “private” under the line of Supreme Court authority I discussed last fall. By encrypting our emails, we would, in effect, be “sealing” them just as we seal envelopes we send through the mail; it is indisputable that we have a 4th Amendment expectation of privacy in sealed letters, so it seems to follow inevitably that we would also have a 4th Amendment expectation of privacy in our emails . . . if we encrypted them.

Why don’t we encrypt? As I noted last fall, we don’t because it’s a pain. It’s a pain because encryption is not seamlessly incorporated into our email programs, so I have to get the software (which is freely available and free) and learn how to use it and then use it and then get the people I correspond with to use it . . . and it just seems too much trouble.

We were talking about this in one of my cybercrime classes, and a student wondered why some ISP hasn’t come up with an easy, seamless, idiot-proof system for encrypting one’s emails. If an ISP could implement such a system, the default encryption would presumably be available only with regard to emails sent within the system, which would mean it would only apply to emails among users of the system.

But as my student pointed out, the advantages of such a system should make it popular enough to be very much a commercial success (assuming this solution is technologically viable). And it would give all of us what is lacking now: a choice as to whether to, in effect, send a postcard and waive any expectation of privacy in the contents of our communications or to seal the envelope by encrypting and gain 4th Amendment protection for our emails.

Another student had an alternative approach, one that would not require coming up with a system like the one I postulate above, one that allows users of a system to seamlessly encrypt their emails. He asked whether the users of an ISP would have a legitimate 4th Amendment expectation of privacy in the contents of their emails if the ISP’s terms of service said, in effect, “We not only do not read the contents of emails sent through and/or stored on our service, we have implemented measures that make it impossible for any of our employees to do so.”

In other words, the contractual provisions binding the ISP and its customers would guarantee that no one employed by the ISP would ever read emails sent via its system and/or stored on its system. The emails would, in effect, become like items we store in a safe deposit box at a bank; the bank “has” the items, but the bank has no legitimate access to them. The items are, therefore, private.

That’s a very interesting hypothetical. As I explained in a post in July 2006, the reason we don’t have a 4th Amendment expectation of privacy in the contents of emails stored with an ISP (or sent via an ISP) is that the contents CAN be read by employees of the ISP. As I explained in that earlier post, the Supreme Court held, about thirty years ago, that we do not have a 4th Amendment expectation of privacy in information we “knowingly” reveal to third parties. So, under the Supreme Court’s precedents, we have no 4th Amendment expectation of privacy in, say, our bank records or the records of what we buy at Amazon.com or any other transaction we carry out.

The student’s suggestion could be a clever way of getting around that holding. If the ISP establishes policies and procedures which guarantee that none of its employees will ever read emails sent via the system and/or stored on it, then those who use that ISP would not seem to have “knowingly” revealed that information to its staff. If they did not “knowingly” reveal that information, then they cannot, under the Supreme Court’s general approach to the 4th Amendment, be held to have assumed the risk that an employee of the ISP would read their emails and share the information with law enforcement (without the latter’s obtaining a search warrant).

If the Sixth Circuit reverses the district court and holds that we do not have a 4th Amendment expectation of privacy in our emails, then a system such as the one I outline above (courtesy of the suggestion from my student) could be a possible alternative for ensuring the privacy of unencrypted emails. I ran that possibility by a federal prosecutor and asked him what he thought of it; he said he thought, “someone could make a lot of money doing that.” We’ll see.